How to Change 389 LDAP Password using PHP Scripting

This article has been prepared for future reference by system administrators. It describes how to change a 389 LDAP password using a PHP script. To use the script you only need to change a few parameters; it was tested on CentOS 6.5. 389 Directory Server is an enterprise-class open source LDAP server for GNU/Linux. It is hardened by real-world use, is full-featured, supports multi-master replication, and already handles many of the largest LDAP deployments in the world.

Steps to Change 389 LDAP Password using PHP Scripting

1. Make sure your 389 LDAP server has been configured correctly :
2. Install the php-ldap package on your Apache server :

[root@ldapmaster-11 ~]# yum install php-ldap -y

3. Create the changepassword.php file and put it in your Apache document root :

[root@ldapmaster-11 ~]# vim /var/www/html/changepassword.php

Modify $server and $dn in the .php file :

<?php
$message = array();

function changePassword($user,$oldPassword,$newPassword,$newPasswordCnf){
  global $message;

  $server = "localhost";
  $dn = "dc=ehowstuff,dc=local";
  $userid = $user;

  // only accept a plain account name so form input cannot inject DN or filter syntax
  if (!preg_match('/^[A-Za-z0-9._-]+$/', $userid)) {
    $message[] = "Error E100 - Invalid username.";
    return false;
  }
  $user = "uid=".$userid.",".$dn;
  $con = ldap_connect($server);
  ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);

  $message[] = "Username: " . $userid;
  //$message[] = "DN: " . $user;

  /* an empty password turns ldap_bind() into an anonymous bind that succeeds for any name */
  if ($oldPassword === "") {
    $message[] = "Error E101 - Current Username or Password is wrong.";
    return false;
  }
  /* try to bind as that user (@ suppresses the PHP warning on a failed bind) */
  if (@ldap_bind($con, $user, $oldPassword) === false) {
    $message[] = "Error E101 - Current Username or Password is wrong.";
    return false;
  }
  if ($newPassword != $newPasswordCnf ) {
    $message[] = "Error E102 - Your New passwords do not match! ";
    return false;
  }
  if (strlen($newPassword) < 8 ) {
    $message[] = "Error E103 - Your new password is too short! ";
    return false;
  }
  if (!preg_match("/[0-9]/",$newPassword)) {
    $message[] = "Error E104 - Your new password must contain at least one digit. ";
    return false;
  }
  if (!preg_match("/[a-zA-Z]/",$newPassword)) {
    $message[] = "Error E105 - Your new password must contain at least one letter. ";
    return false;
  }
  if (!preg_match("/[A-Z]/",$newPassword)) {
    $message[] = "Error E106 - Your new password must contain at least one uppercase letter. ";
    return false;
  }
  if (!preg_match("/[a-z]/",$newPassword)) {
    $message[] = "Error E107 - Your new password must contain at least one lowercase letter. ";
    return false;
  }

  /* look up the user's own entry (after binding), used by the optional mail notice below */
  $sr = ldap_search($con,$dn,"(uid=".$userid.")");
  $records = ldap_get_entries($con, $sr);

  /* change the password finally */
  $entry = array();
  // {SHA} is an unsalted SHA-1 hash computed on the web server; 389 DS only accepts a
  // pre-hashed userPassword from an ordinary user when nsslapd-allow-hashed-passwords is
  // on, otherwise the server expects the cleartext value (sent over TLS) and applies its
  // own passwordStorageScheme
  $entry["userPassword"] = "{SHA}" . base64_encode( pack( "H*", sha1( $newPassword ) ) );

  if (ldap_modify($con,$user,$entry) === false){
    $message[] = "E200 - Your password cannot be changed, please contact the administrator.";
    return false;
  }
  $message[] = " Your password has been changed. ";
  //mail($records[0]["mail"][0],"Password change notice : ".$userid," Your password has just been changed.");
  return true;
}

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>Change your LDAP password</title>
  <style type="text/css">
  body { font-family: Verdana,Arial,Courier New; font-size: 0.7em;  }
  input:focus { background-color: #eee; border-color: red; }
  th { text-align: right; padding: 0.8em; }
  #container { text-align: center; width: 500px; margin: 5% auto; }
  ul { text-align: left; list-style-type: square; }
  .msg { margin: 0 auto; text-align: center; color: navy;  border-top: 1px solid red;  border-bottom: 1px solid red;  }
  </style>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
</head>
<body>
  <div id="container">
    <h2>Change your LDAP password</h2>
<ul>
  <li> Your new password must be 8 characters long and contain at least one digit, one uppercase letter and one lowercase letter. </li>
</ul>
    <form action="<?php print htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" name="passwordChange" method="post">
      <table style="width: 400px; margin: 0 auto;">
        <tr><th>Username:</th><td><input name="username" type="text" size="20" autocomplete="off" /></td></tr>
        <tr><th>Old password:</th><td><input name="oldPassword" size="20" type="password" /></td></tr>
        <tr><th>New password:</th><td><input name="newPassword1" size="20" type="password" /></td></tr>
        <tr><th>New password (again):</th><td><input name="newPassword2" size="20" type="password" /></td></tr>
        <tr><td colspan="2" style="text-align: center;" >
          <input name="submitted" type="submit" value="Change Password"/>
          <button type="reset">Cancel</button>
        </td></tr>
      </table>
    </form>
    <div class="msg"><?php
      if (isset($_POST["submitted"])) {
        changePassword($_POST['username'],$_POST['oldPassword'],$_POST['newPassword1'],$_POST['newPassword2']);
        /* the username is echoed back, so escape every message to keep form input out of the page */
        foreach ( $message as $one ) { echo "<p>" . htmlspecialchars($one, ENT_QUOTES, 'UTF-8') . "</p>"; }
      } ?>
    </div>
  </div>
</body>
</html>
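
The script above writes a hash it computed itself into userPassword with ldap_modify(). The following is an added example, not code from the article or from the 389 Directory Server project, showing the same change done with the RFC 3062 Password Modify extended operation over StartTLS, so that the directory applies its own storage scheme and password policy and the PHP side never computes or transmits a hash. It assumes PHP 7.2 or later (for ldap_exop_passwd()), a server that offers StartTLS with a certificate the client trusts, and the article's base DN dc=ehowstuff,dc=local; the hostname and credentials in the usage lines are placeholders.

```php
<?php
// Added example (not the article's code): change a 389 DS user's password
// with the Password Modify extended operation (RFC 3062) over StartTLS.
// Assumptions: PHP >= 7.2, StartTLS available on the server, base DN as in
// the article. Hostname and credentials below are placeholders.
declare(strict_types=1);

function changePasswordExop(string $server, string $baseDn, string $uid,
                            string $oldPassword, string $newPassword): array
{
    // An empty password turns ldap_bind() into an anonymous bind, which
    // "succeeds" for any username, so refuse it before touching LDAP.
    if ($oldPassword === '' || $newPassword === '') {
        return ['ok' => false, 'error' => 'current and new password are required'];
    }
    // Escape the uid so form input cannot alter the DN we bind as.
    $userDn = 'uid=' . ldap_escape($uid, '', LDAP_ESCAPE_DN) . ',' . $baseDn;

    $con = ldap_connect('ldap://' . $server);
    if ($con === false) {
        return ['ok' => false, 'error' => 'invalid server URI'];
    }
    ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($con, LDAP_OPT_REFERRALS, 0);

    // Credentials and the new password must not cross the network in the clear.
    if (!ldap_start_tls($con)) {
        return ['ok' => false, 'error' => 'StartTLS failed: ' . ldap_error($con)];
    }
    // Bind as the user with the current password. The failure message is
    // generic so the form does not reveal whether the uid exists.
    if (!@ldap_bind($con, $userDn, $oldPassword)) {
        return ['ok' => false, 'error' => 'current username or password is wrong'];
    }
    // Password Modify exop: the server hashes with its passwordStorageScheme
    // and enforces its own policy (length, history, syntax). ldap_exop_passwd()
    // returns true on success; ldap_error() carries the policy message otherwise.
    $result = ldap_exop_passwd($con, $userDn, $oldPassword, $newPassword);
    $outcome = ($result === true)
        ? ['ok' => true, 'error' => '']
        : ['ok' => false, 'error' => 'password change rejected: ' . ldap_error($con)];
    ldap_unbind($con);
    return $outcome;
}

// Constructed usage; replace the placeholders with real values before running.
$r = changePasswordExop('ldap.example.invalid', 'dc=ehowstuff,dc=local',
                        'jdoe', 'OLD-PASSWORD-PLACEHOLDER', 'NEW-PASSWORD-PLACEHOLDER');
echo $r['ok'] ? "password changed\n" : "failed: {$r['error']}\n";
```

Because the new password is sent as a cleartext value inside the extended operation rather than as a pre-hashed {SHA} string, the server stores it with whatever passwordStorageScheme the administrator configured (salted by default) and no setting such as nsslapd-allow-hashed-passwords has to be relaxed for ordinary users; the client-side policy checks from the article can stay in the form, but the directory's own password policy is what finally decides.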

Reference :
https://gist.github.com/657334/98d7c111796db51059a5fd788240fd69672b8daf
http://ideone.com/Ib90W
http://technology.mattrude.com/2010/11/ldap-php-change-password-webpage/
https://gist.github.com/mattrude/657334


1 Comment

  • Marco says:

    It’s not working for me.

    Apparently the function ldap_modify() is always returning error.

    I have debugged and found that the parameters passed are right.

    It seems to be some incompatibility with 389ds
